# HG changeset patch
# User Matt Johnston
# Date 1248966873 0
# Node ID 52d7301e46bd66396cd57a70c1157cebc7da6b43
# Parent 7f66b8e40f2d0a2930e32b32a9fe07a119a76588
Agent forwarding works
diff -r 7f66b8e40f2d -r 52d7301e46bd agentfwd.h
--- a/agentfwd.h Wed Jul 29 02:58:33 2009 +0000
+++ b/agentfwd.h Thu Jul 30 15:14:33 2009 +0000
@@ -35,14 +35,16 @@
  * 10000 is arbitrary */
 #define MAX_AGENT_REPLY 10000
 
-int agentreq(struct ChanSess * chansess);
-void agentcleanup(struct ChanSess * chansess);
-void agentset(struct ChanSess *chansess);
+int svr_agentreq(struct ChanSess * chansess);
+void svr_agentcleanup(struct ChanSess * chansess);
+void svr_agentset(struct ChanSess *chansess);
 
 /* client functions */
-void load_agent_keys(m_list * ret_list);
+void cli_load_agent_keys(m_list * ret_list);
 void agent_buf_sign(buffer *sigblob, sign_key *key,
 		const unsigned char *data, unsigned int len);
 
+void cli_setup_agent(struct Channel *channel);
+
 #ifdef __hpux
 #define seteuid(a) setresuid(-1, (a), -1)
diff -r 7f66b8e40f2d -r 52d7301e46bd chansession.h
--- a/chansession.h Wed Jul 29 02:58:33 2009 +0000
+++ b/chansession.h Thu Jul 30 15:14:33 2009 +0000
@@ -81,6 +81,7 @@
 #ifdef ENABLE_CLI_NETCAT
 void cli_send_netcat_request();
 #endif
+void cli_start_send_channel_request(struct Channel *channel, unsigned char *type);
 void svr_chansessinitialise();
 extern const struct ChanType svrchansess;
diff -r 7f66b8e40f2d -r 52d7301e46bd cli-agentfwd.c
--- a/cli-agentfwd.c Wed Jul 29 02:58:33 2009 +0000
+++ b/cli-agentfwd.c Thu Jul 30 15:14:33 2009 +0000
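Review bot: The newly exported prototype `void cli_start_send_channel_request(struct Channel *channel, unsigned char *type);` types the request name as `unsigned char *`, while every caller visible in this changeset passes a string literal or a plain `char *` (`"pty-req"`, `reqtype`, `"auth-agent-req@openssh.com"`), which is a pointer-sign mismatch and silently discards const. Now that the function is part of the header interface it should be declared `const char *type` here and in the cli-chansession.c definition (second cli-chansession.c hunk); whether the body needs an explicit cast depends on what it hands the name to, which is outside the hunk. A one-line comment on the declaration, `/* Begins a channel request of the given type; caller appends want_reply and any payload, then calls encrypt_packet() */`, would also document the two-step protocol the callers rely on.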
@@ -226,10 +226,20 @@
 	}
 }
 
+void cli_setup_agent(struct Channel *channel) {
+	if (!getenv("SSH_AUTH_SOCK")) {
+		return;
+	}
+
+	cli_start_send_channel_request(channel, "auth-agent-req@openssh.com");
+	/* Don't want replies */
+	buf_putbyte(ses.writepayload, 0);
+	encrypt_packet();
+}
+
 /* Returned keys are prepended to ret_list, which will be updated. */
-void load_agent_keys(m_list *ret_list)
-{
+void cli_load_agent_keys(m_list *ret_list) {
 	/* agent_fd will be closed after successful auth */
 	cli_opts.agent_fd = connect_agent();
 	if (cli_opts.agent_fd < 0) {
diff -r 7f66b8e40f2d -r 52d7301e46bd cli-authpubkey.c
--- a/cli-authpubkey.c Wed Jul 29 02:58:33 2009 +0000
+++ b/cli-authpubkey.c Thu Jul 30 15:14:33 2009 +0000
@@ -187,10 +187,9 @@
 	TRACE(("enter cli_auth_pubkey"))
 
-	if (cli_opts.agent_fwd &&
-		!cli_opts.agent_keys_loaded) {
+	if (!cli_opts.agent_keys_loaded) {
 		/* get the list of available keys from the agent */
-		load_agent_keys(cli_opts.privkeys);
+		cli_load_agent_keys(cli_opts.privkeys);
 		cli_opts.agent_keys_loaded = 1;
 	}
 
diff -r 7f66b8e40f2d -r 52d7301e46bd cli-chansession.c
--- a/cli-chansession.c Wed Jul 29 02:58:33 2009 +0000
+++ b/cli-chansession.c Thu Jul 30 15:14:33 2009 +0000
@@ -33,13 +33,12 @@
 #include "runopts.h"
 #include "termcodes.h"
 #include "chansession.h"
+#include "agentfwd.h"
 
 static void cli_closechansess(struct Channel *channel);
 static int cli_initchansess(struct Channel *channel);
 static void cli_chansessreq(struct Channel *channel);
 
-static void start_channel_request(struct Channel *channel, unsigned char *type);
-
 static void send_chansess_pty_req(struct Channel *channel);
 static void send_chansess_shell_req(struct Channel *channel);
 
@@ -92,7 +91,7 @@
 }
 
-static void start_channel_request(struct Channel *channel,
+void cli_start_send_channel_request(struct Channel *channel,
 		unsigned char *type) {
 
 	CHECKCLEARTOWRITE();
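Review bot: `cli_setup_agent` returns silently when `SSH_AUTH_SOCK` is unset, so a user who explicitly asked for forwarding with -A gets no indication that the request was never sent; a trace on that path, `TRACE(("cli_setup_agent: SSH_AUTH_SOCK not set, skipping agent forwarding request"))`, keeps it diagnosable. An empty value should be treated like an unset one, since a later connect to "" can only fail: `const char *sock = getenv("SSH_AUTH_SOCK"); if (!sock || !*sock) { return; }`. The function also needs a header comment recording its contract: it sends the auth-agent-req@openssh.com channel request with want_reply 0, so a server that refuses it gives no feedback, and it relies on the caller to check cli_opts.agent_fwd because granting this request lets the remote side sign with any key held by the local agent. `cli_load_agent_keys` continues past the end of the hunk.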
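Review bot: In the cli-authpubkey.c hunk, dropping `cli_opts.agent_fwd &&` makes `cli_auth_pubkey` contact the agent on every public-key attempt, not only when -A was given; that matches the new man page wording, but the hunk shows no `#ifdef ENABLE_CLI_AGENTFWD` around the block, whereas the new call in cli-chansession.c is guarded. If the guard is not present just outside the hunk, the reference to `cli_load_agent_keys` will not resolve in a build with agent support compiled out, so that is worth confirming. A comment above the `if`, `/* agent keys are tried for auth whenever an agent is reachable; -A only controls forwarding */`, would record the intent of the relaxed condition. cli_auth_pubkey starts and ends outside the hunk.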
@@ -287,7 +286,7 @@
 	TRACE(("enter send_chansess_pty_req"))
 
-	start_channel_request(channel, "pty-req");
+	cli_start_send_channel_request(channel, "pty-req");
 
 	/* Don't want replies */
 	buf_putbyte(ses.writepayload, 0);
@@ -330,7 +329,7 @@
 		reqtype = "shell";
 	}
 
-	start_channel_request(channel, reqtype);
+	cli_start_send_channel_request(channel, reqtype);
 
 	/* XXX TODO */
 	buf_putbyte(ses.writepayload, 0); /* Don't want replies */
@@ -361,6 +360,12 @@
 
 	cli_init_stdpipe_sess(channel);
 
+#ifdef ENABLE_CLI_AGENTFWD
+	if (cli_opts.agent_fwd) {
+		cli_setup_agent(channel);
+	}
+#endif
+
 	if (cli_opts.wantpty) {
 		send_chansess_pty_req(channel);
 	}
diff -r 7f66b8e40f2d -r 52d7301e46bd cli-session.c
--- a/cli-session.c Wed Jul 29 02:58:33 2009 +0000
+++ b/cli-session.c Thu Jul 30 15:14:33 2009 +0000
@@ -235,7 +235,7 @@
 		cli_send_netcat_request();
 	} else
 #endif
-	if (!cli_opts.no_cmd) {
+	if (!cli_opts.no_cmd) {
 		cli_send_chansess_request();
 	}
 	TRACE(("leave cli_sessionloop: running"))
diff -r 7f66b8e40f2d -r 52d7301e46bd dbclient.1
--- a/dbclient.1 Wed Jul 29 02:58:33 2009 +0000
+++ b/dbclient.1 Thu Jul 30 15:14:33 2009 +0000
@@ -82,6 +82,11 @@
 Always accept hostkeys if they are unknown. If a hostkey mismatch occurs the connection will abort as normal.
 .TP
+.B \-A
+Forward agent connections to the remote host. dbclient will use any
+OpenSSH-style agent program if available ($SSH_AUTH_SOCK will be set) for
+public key authentication. Forwarding is only enabled if -A is specified.
+.TP
 .B \-W \fIwindowsize
 Specify the per-channel receive window buffer size. Increasing this may improve network performance at the expense of memory use. Use -h to see the
diff -r 7f66b8e40f2d -r 52d7301e46bd debug.h
--- a/debug.h Wed Jul 29 02:58:33 2009 +0000
+++ b/debug.h Thu Jul 30 15:14:33 2009 +0000
@@ -39,7 +39,7 @@
  * Caution: Don't use this in an unfriendly environment (ie unfirewalled),
  * since the printing may not sanitise strings etc. This will add a reasonable
  * amount to your executable size. */
-#define DEBUG_TRACE
+/*#define DEBUG_TRACE*/
 
 /* All functions writing to the cleartext payload buffer call
  * CHECKCLEARTOWRITE() before writing. This is only really useful if you're
diff -r 7f66b8e40f2d -r 52d7301e46bd signkey.c
--- a/signkey.c Wed Jul 29 02:58:33 2009 +0000
+++ b/signkey.c Thu Jul 30 15:14:33 2009 +0000
@@ -84,7 +84,6 @@
 #endif
 
 	TRACE(("signkey_type_from_name unexpected key type."))
-	printhex("Key type", name, namelen);
 	return DROPBEAR_SIGNKEY_NONE;
 }
 
diff -r 7f66b8e40f2d -r 52d7301e46bd svr-agentfwd.c
--- a/svr-agentfwd.c Wed Jul 29 02:58:33 2009 +0000
+++ b/svr-agentfwd.c Thu Jul 30 15:14:33 2009 +0000
@@ -49,10 +49,12 @@
 
 /* Handles client requests to start agent forwarding, sets up listening socket.
  * Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
-int agentreq(struct ChanSess * chansess) {
+int svr_agentreq(struct ChanSess * chansess) {
 
 	int fd;
 
+	TRACE(("enter svr_agentreq"))
+
 	if (!svr_pubkey_allows_agentfwd()) {
 		return DROPBEAR_FAILURE;
 	}
@@ -89,10 +91,12 @@
 	}
 
 	return DROPBEAR_SUCCESS;
+	TRACE(("success"))
 
 fail:
+	TRACE(("fail"))
 	/* cleanup */
-	agentcleanup(chansess);
+	svr_agentcleanup(chansess);
 	return DROPBEAR_FAILURE;
 }
 
@@ -118,7 +122,7 @@
 
 /* set up the environment variable pointing to the socket. This is called
  * just before command/shell execution, after dropping priveleges */
-void agentset(struct ChanSess * chansess) {
+void svr_agentset(struct ChanSess * chansess) {
 
 	char *path = NULL;
 	int len;
@@ -137,7 +141,7 @@
 }
 
 /* close the socket, remove the socket-file */
-void agentcleanup(struct ChanSess * chansess) {
+void svr_agentcleanup(struct ChanSess * chansess) {
 
 	char *path = NULL;
 	uid_t uid;
diff -r 7f66b8e40f2d -r 52d7301e46bd svr-chansession.c
--- a/svr-chansession.c Wed Jul 29 02:58:33 2009 +0000
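Review bot: In the second svr-agentfwd.c hunk the new `TRACE(("success"))` is placed after `return DROPBEAR_SUCCESS;`, so it is unreachable and never prints; swap the two lines so the trace precedes the return, `TRACE(("success"))` then `return DROPBEAR_SUCCESS;`. The `TRACE(("fail"))` after the `fail:` label is reachable and fine. Since `svr_agentreq` acts on an untrusted channel request, a trace on the `svr_pubkey_allows_agentfwd()` refusal in the first hunk, `TRACE(("agent forwarding refused by key options"))`, would make the authorization decision visible in debug output as well. The body of `svr_agentreq` between the two hunks is outside this view.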
+++ b/svr-chansession.c Thu Jul 30 15:14:33 2009 +0000
@@ -287,7 +287,7 @@
 
 #endif
 #ifndef DISABLE_AGENTFWD
-	agentcleanup(chansess);
+	svr_agentcleanup(chansess);
 #endif
 
 	/* clear child pid entries */
@@ -346,7 +346,7 @@
 #endif
 #ifndef DISABLE_AGENTFWD
 	} else if (strcmp(type, "auth-agent-req@openssh.com") == 0) {
-		ret = agentreq(chansess);
+		ret = svr_agentreq(chansess);
 #endif
 	} else if (strcmp(type, "signal") == 0) {
 		ret = sessionsignal(chansess);
@@ -894,7 +894,7 @@
 #endif
 #ifndef DISABLE_AGENTFWD
 	/* set up agent env variable */
-	agentset(chansess);
+	svr_agentset(chansess);
 #endif
 
 	usershell = m_strdup(get_user_shell());